Skip to main content

Threat landscape

What is a zero-day and how do you defend against one?

In short

What makes a vulnerability a zero-day, why patching alone cannot stop one, and how detection and response limit damage when no fix exists yet.

Threat detection solutions

A vulnerability does not wait for a patch. There is a stretch of time, sometimes days, sometimes months, when a flaw in software is already known to an attacker but not yet to the vendor who could fix it. During that window the software runs exactly as before, your firewall sees nothing unusual, and your antivirus has no signature to match, because the attack it would need to recognise has never been catalogued. That gap between a flaw being usable and a fix existing is what makes a zero-day dangerous, and it is why the usual advice to "just patch" runs out of road.

What a zero-day is

A zero-day is a vulnerability that is being exploited before the vendor has a fix for it. The name is literal: the vendor has had zero days to prepare a patch by the time the attack is in use. Because the flaw is unknown or unaddressed, the defences that depend on knowing a threat in advance, signature-based antivirus and blocklists among them, have nothing to look for.

The term gets used loosely, and the distinction matters when you are deciding how to respond. Three related things travel under the same "zero-day" label.

TermWhat it means
Zero-day vulnerabilityThe underlying flaw in the software that the vendor has not yet fixed, and often does not yet know about
Zero-day exploitThe technique or code an attacker writes to take advantage of that flaw
Zero-day attackThe actual use of that exploit against a real target while no patch exists

The vulnerability is the weakness, the exploit is the tool, and the attack is the tool being used. A single vulnerability can spawn many exploits, and once a vendor ships a fix the flaw is no longer a zero-day, even though unpatched systems stay exposed for as long as they go unpatched.

  1. 01

    A flaw exists

    Software ships with a defect nobody has noticed. It sits there, usable but undiscovered, for as long as it takes someone to find it.

  2. 02

    An attacker finds it first

    A researcher who reports it responsibly starts a fix. An attacker who finds it first has a weapon that no defence is yet tuned to catch.

  3. 03

    Quiet exploitation

    The attacker builds an exploit and uses it selectively. There is no patch to apply and no signature to detect, so intrusions can run unnoticed.

  4. 04

    Disclosure and the patch race

    The vendor learns of the flaw and ships a fix. The danger does not end there: exploitation often continues against systems that have not applied the patch yet.

Why patching alone is not enough

Patching is the right habit, and most breaches still trace back to flaws that had a fix available and unapplied. But a zero-day is defined by the absence of a patch. You cannot patch what has no patch, so for the length of that window, the discipline that protects you most of the time offers nothing.

This changes what defence has to mean. If you cannot prevent the exploit, the goal becomes noticing it fast and stopping it from turning a single compromised machine into a company-wide incident. Defence shifts from keeping the attacker out to catching them early and containing them once they are in. That is a different capability from patch management, and it is the one that decides how a zero-day plays out.

How detection and response limit the damage

The reason detection can work where prevention cannot is that an exploit still has to do something. It runs code, escalates privileges, reaches out to a command server, or starts moving data. Signatures describe threats you have seen before; behaviour-based detection watches for those actions regardless of whether the underlying exploit has ever been catalogued. That is the core difference between traditional antivirus and modern endpoint detection, covered in antivirus vs EDR.

Detection is only half of it. An alert nobody acts on changes nothing, so the response side matters just as much: isolating the affected host, cutting off the attacker's access, and investigating how far they reached before they were caught. Wider platforms extend that view across endpoints, network, and cloud so a single anomaly can be traced through the whole environment, which is the ground covered in EDR vs XDR. The common thread is speed. A zero-day exploited at 2am is only as bad as the time it takes someone to notice and contain it, which is why a watched system beats an unwatched one even when both run the same tools.

Behaviour-based detection

EDR flags what a program does, not just what it is. A novel exploit that runs unusual commands or contacts an attacker still trips an alert with no signature involved.

Containment in the window

Once an intrusion is spotted, isolating the affected machine stops one compromised host from becoming a company-wide incident while a fix is still unavailable.

A team that is watching

Detection produces alerts; people produce outcomes. Analysts watching around the clock are what turn an early signal into a contained incident rather than a missed one.

The Indonesian picture

Zero-days are used against targets everywhere, and Indonesian organisations sit in the same firing line as any other. The exposure is rarely about being singled out. It comes from the ordinary reality of any estate: unpatched software, internet-facing services, and edge devices such as VPN gateways, firewalls, and email servers, which are attractive precisely because they are reachable from outside and often patched late. When a zero-day in one of those products is disclosed, the systems most likely to be hit are the ones that stayed exposed because no one was watching them closely.

For organisations here, the honest question is not whether a zero-day could reach you but how quickly you would know if it did. Many operate with lean security teams and no around-the-clock coverage, which means an intrusion that arrives with no patch and no signature can run for a long time before anyone notices. That is the gap that turns a manageable event into a serious breach, and closing it is a matter of detection capability rather than geography.

Where Alpha Code fits

You cannot promise to prevent every zero-day, and any vendor who claims otherwise is selling the wrong thing. What you can do is shorten the distance between an exploit landing and someone stopping it. Alpha Code's SOC-as-a-Service runs behaviour-based detection watched by analysts around the clock, so an unknown exploit that starts behaving badly is caught and contained rather than left to run. Paired with regular vulnerability assessment to keep the patchable attack surface small, that is the realistic defence against a threat that, by definition, arrives before its fix.

Reviewed by Mohit Bhansali, Head of Technology

Frequently asked questions

An attack is a zero-day when it exploits a software flaw that the vendor has not yet fixed. The name comes from the vendor having had zero days to prepare a patch. Because no fix exists and no signature describes the attack, ordinary defences that rely on knowing a threat in advance do not recognise it.

Related

Ready to strengthen your security posture?

Talk to our Jakarta-based team about your requirements.

Jakarta-based team. We reply within one business day.